0day padding oracle exploit on PAN-OS master key decryption?

KurtHinson — Thu, 04 Aug 2022 13:49:11 GMT

Ran across this and am wondering if this is truly a new 0 Day or related to a previous RCE from a little while back regarding the default Master Key? https://twitter.com/rqu50/status/1554566757704089600 There is proof of concept code for this.

Re: 0day padding oracle exploit on PAN-OS master key decryption?

JayGolf — Fri, 12 Aug 2022 04:49:11 GMT

Hi @KurtHinson ,

Thanks for bringing this to the LiveCommunity's attention. I would also recommend bringing this up with your SE to raise more awareness towards the ability of this code to determine whether or not a default master key is being used. It does not look like an immediate risk for RCE, but for best practice please modify the master key prior to deploying firewalls in your environment.

topic 0day padding oracle exploit on PAN-OS master key decryption? in General Topics

0day padding oracle exploit on PAN-OS master key decryption?

Re: 0day padding oracle exploit on PAN-OS master key decryption?